334 vulnerabilities found in Oracle; security patches already available

On a regular basis, technology companies’ vulnerability testing teams release updates to their systems, ensuring the proper functioning of their developments, as well as preventing the exploitation of recently found security flaws.

This is a permanent task, as threat actors never stop searching for new attack methods, so companies must sometimes release dozens, or even hundreds, of updates to keep their systems secure. This is the case with Oracle, which has just released its first Critical Patch Update (CPU) of the year, consisting of 334 security patches aimed at fixing potential flaws in 94 different products.

This figure ties the record for fixes released in a single update package, set by the January 2018 Oracle CPU. Among the most notable fixes in the 2020 CPU are two vulnerabilities in Oracle Human Resources that received a score of 9.9/10 on the CVSS scale. Oracle vulnerability testing teams emphasize that authentication is required to exploit these flaws.

Another 31 vulnerabilities present in various products received a score of 9.8/10; affected products include:

  • Oracle WebLogic
  • Oracle Communications Instant Messaging Server
  • Enterprise Manager Ops Center
  • Oracle Application Testing Suite
  • Hyperion Planning, among others

In recent weeks the company has received reports of these flaws being exploited in the wild, so system administrators are advised to install this set of security patches as soon as possible.

In addition to the flaws mentioned above, vulnerability testing experts reported at least a dozen vulnerabilities in Oracle Database Server that are exploitable remotely and without authentication. On average, these flaws received a score of 7.7/10 on the CVSS scale. At least 25 vulnerabilities were also fixed in Oracle Communications Applications, including 20 flaws that are remotely exploitable without authentication. Other affected products include Oracle Fusion Middleware and the Oracle E-Business Suite.

According to the International Institute of Cyber Security (IICS), at least 190 of the flaws corrected in this Oracle CPU are exploitable remotely and without the need for authentication on the target system. The next Oracle CPU is scheduled to be released on July 14.